From 825fc4892ee7ec3cff83b2754cd921c0157e62f8 Mon Sep 17 00:00:00 2001
From: Neale Ranns <nranns@cisco.com>
Date: Wed, 10 Oct 2018 13:27:00 +0000
Subject: [PATCH] Integer underflow and out-of-bounds read (VPP-1442)

Change-Id: Ife2a83b9d7f733f36e0e786ef79edcd394d7c0f9
Signed-off-by: Neale Ranns <nranns@cisco.com>
---
 src/vlib/buffer_node.h | 13 +++++++++----
 src/vppinfra/string.h  |  8 ++++----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/vlib/buffer_node.h b/src/vlib/buffer_node.h
index 93ffb1e9dce..35e15a5d919 100644
--- a/src/vlib/buffer_node.h
+++ b/src/vlib/buffer_node.h
@@ -366,10 +366,15 @@ vlib_buffer_enqueue_to_next (vlib_main_t * vm, vlib_node_runtime_t * node,
       n_enqueued = count_trailing_zeros (~bitmap) / 2;
 #else
       u16 x = 0;
-      x |= next_index ^ nexts[1];
-      x |= next_index ^ nexts[2];
-      x |= next_index ^ nexts[3];
-      n_enqueued = (x == 0) ? 4 : 1;
+      if (count + 3 < max)
+	{
+	  x |= next_index ^ nexts[1];
+	  x |= next_index ^ nexts[2];
+	  x |= next_index ^ nexts[3];
+	  n_enqueued = (x == 0) ? 4 : 1;
+	}
+      else
+	n_enqueued = 1;
 #endif
 
       if (PREDICT_FALSE (n_enqueued > max))
diff --git a/src/vppinfra/string.h b/src/vppinfra/string.h
index 8f165dfa18e..2c794baf71f 100644
--- a/src/vppinfra/string.h
+++ b/src/vppinfra/string.h
@@ -356,7 +356,7 @@ clib_count_equal_u64 (u64 * data, uword max_count)
 #endif
   count += 2;
   data += 2;
-  while (count < max_count - 3 &&
+  while (count + 3 < max_count &&
 	 ((data[0] ^ first) | (data[1] ^ first) |
 	  (data[2] ^ first) | (data[3] ^ first)) == 0)
     {
@@ -424,7 +424,7 @@ clib_count_equal_u32 (u32 * data, uword max_count)
 #endif
   count += 2;
   data += 2;
-  while (count < max_count - 3 &&
+  while (count + 3 < max_count &&
 	 ((data[0] ^ first) | (data[1] ^ first) |
 	  (data[2] ^ first) | (data[3] ^ first)) == 0)
     {
@@ -492,7 +492,7 @@ clib_count_equal_u16 (u16 * data, uword max_count)
 #endif
   count += 2;
   data += 2;
-  while (count < max_count - 3 &&
+  while (count + 3 < max_count &&
 	 ((data[0] ^ first) | (data[1] ^ first) |
 	  (data[2] ^ first) | (data[3] ^ first)) == 0)
     {
@@ -560,7 +560,7 @@ clib_count_equal_u8 (u8 * data, uword max_count)
 #endif
   count += 2;
   data += 2;
-  while (count < max_count - 3 &&
+  while (count + 3 < max_count &&
 	 ((data[0] ^ first) | (data[1] ^ first) |
 	  (data[2] ^ first) | (data[3] ^ first)) == 0)
     {
-- 
2.16.6